In absence of CORS configuration, WebSocket/SockJS allows same origin. Once an origin is added, same origin stops working (e.g. breaks in Chrome which sends an Origin header even even for same origin).
This doesn't seem intuitive. On the MVC side we seem to have chosen to allow same origin regardless, which makes more sense.